[Fedora-directory-users] Wishlist
Rich Megginson
rmeggins at redhat.com
Mon Jun 13 14:16:05 UTC 2005
jclowser at unitedmessaging.com wrote:
> Richard Megginson wrote:
>
>>
>>> Under Core Server Features:
>>> 1. Disable anonymous binds.
>>
>>
>> ...
>> Some security conscious sites feel that an anonymous connection
>> shouldn't even get to the data which is where the access control
>> information is stored. So they want the ability to cut them off
>> early in the BIND request processing.
>
>
> Hmm... If I remove the anonymous aci, and remove all the anonymous
> aci's in dse.ldif, what can anonymous see? Doing that seems to
> restrict anonymous from seeing anything. My guess is that you really
> need to change it from userdn="ldap:///anyone" (anonymous) to
> userdn="ldap:///all" (any entry that successfully bound to the server)
> instead of removig it entirely, or some things will break (i.e.
> clients that bind can't see what controls are available, what suffixes
> exist, etc).
>
> I can see wanting the ability to break the connection (or maybe return
> unwilling to perform) if a client attempts to perform a search or
> other operation before binding as something other than anonymous
> (and/or rejecting binds with empty bind dn and bind passwords), but
> I'm wondering if, with these aci changes, it will generally be
> "sufficient". Is there anything that is left that anonymous can see?
>
>>
>>> 2. Option to control resource limits specifically for anonymous.
>>
>>
>> ...
>> Right. But see above.
>
>
> Yeah - does modifying dse.ldif sufficiently cover this? I guess is
> comes down to who's asking this and why:
> a. A security expert, who wants to figure out how to 100% tie down
> everything, or
> b. An organization that wants to prevent anonymous from skimming
> their directory for things like email addresses to spam, or uid's to
> try to crack, personal info that can be abused in any number of ways,
> etc.
>
> My guess is my suggestion is good enough for b, but maybe not for a(?)
Right - a. This applies to the above as well. Anonymous might not be
able to "see" anything, but they are allowed to complete the BIND request.
>
>>
>>> Under Console Features:
>>> 2. Add host based access control to posixAccount/shadowAccount to
>>> determine who can
>>> log into what hosts.
>>> ...
>>
>>
>> I believe most apps use the 'host' attribute for this, which is
>> defined in the pilot schema. I don't know if this is a standard.
>> The best thing to do would be to create an AUXILIARY objectclass
>> (e.g. hostAccount?) and have the host attribute as an allowed
>> attribute. Then add that new objectclass to each entry (along with
>> posixAccount and shadowAccount and their required attributes). Does
>> anyone know if there is a standard for host access like this using
>> the 'host' attribute and, if so, is there a standard objectclass?
>
>
> yeah - I was writing this off the top of my head - there are likely
> some standard attributes out there that would be better used than what
> I suggested, but in any case, you'll have to do something like it to
> supplement posixAccount and shadowAccount, since these don't handle
> that. BTW - what is "standard" schema, other than that it's in an RFC
> and/or has an official oid assigned to it? That's always seemed kinda
> grey :)
That's usually what is meant.
>
>>> One note to make: purists would say DON'T create attributes and
>>> objectclasses on the fly like this.
>>
>>
> ...
>
>> Some would say that is a bug in our software :-) But in general,
>> it's better to use published RFC standards or at least informational
>> RFC's or Internet-Draft schema.
>
>
> Ya :) And I agree, but it's a nice thing to be able to do so solve
> things, esp if it's just being done as an internal fix like this.
> Looking briefly at rfc1274, it looks like host is an allowed attribute
> of account objectclass, so actually, the schema is all already there
> if you create users that have the account, posixAccount, and
> shadowAccount objectclasses, so it's just a matter of being able to
> configure the client machine to include this in the filter, falling
> back on aci's if not (though admittedly, doing this via aci's gets
> really ugly really fast, and probably doesn't scale well - one
> aci/client host?)
Unfortunately, the objectclass "account" is a structural objectclass,
which means you can't "mix it in" with other structural objectclasses
such as inetOrgPerson. So I think either the standard needs to be
revised to make account auxiliary, or create a new objectclass
(auxAccount?).
>
> - Jeff
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3312 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20050613/5bf7235d/attachment.bin>
More information about the Fedora-directory-users
mailing list